csc 495.002 lecture 1 course introduction · 2017. 11. 15. · dr. ozg¨ ur kafalı¨ course...

CSC 495.002 – Lecture 1Course Introduction

Dr. Ozgur Kafalı

North Carolina State UniversityDepartment of Computer Science

Fall 2017

COURSE OVERVIEW

Basics

Dr. OzEmail: [email protected] for announcements and assignmentsCourse website: https://ozgurkafali.github.io/courses/ncsu/csc495Hours: MW 11:45AM-1:00PMLocation: EB2 1226No TA

Dr. Ozgur Kafalı Course Introduction Fall 2017 1 / 46

https://ozgurkafali.github.io/courses/ncsu/csc495

COURSE OVERVIEW

Grading

30% – Individual homework assignments (4 best grades out of 5assignments)

30% – Two group case studies (analysis and in class presentation)

40% – One group project (project report and in class presentation)

No midterm or final


COURSE OVERVIEW

Homeworks

Goals:Learn to do critical reviews on privacy papersExtract privacy requirements/concerns from text-based scenariosInvestigate tools for privacy risk mitigationReview TED talks on privacy

Individual assignmentsWhen submitting any report:

Use your own words when describing the papers or other materialyou find onlineDo not borrow words from the authors (unless you are referring to aspecific technical term, e.g., information disclosure)


COURSE OVERVIEW

Case Studies

In class exercisesInvestigate privacy incidents

Work individually and in groupsAggregate and analyze resultsPresent findings

Play a privacy card game (if everything goes well . . . )Play individuallyPlay in groupsAnalyze strategies


COURSE OVERVIEW

Projects

Goals:Give you experience (both research and development) on a specifictopic related to privacyCollaboration within group members as well as among groupsWork with deadlines, prepare deliverables, present work done

Work in groups of 2–3A project can be chosen by multiple groupsEncourage publication from good projects


COURSE OVERVIEW

Research Interests

Artificial intelligenceMultiagent systemsComputational logicOnline social networks (OSN)Strategic games


COURSE OVERVIEW

Topics

Web/Online Social Networks PrivacyArtificial Intelligence for PrivacyUsable PrivacyPrivacy PerceptionsMisc Topics


COURSE OVERVIEW

Topics: Web/Online Social Networks Privacy

Growing privacy concerns inonline social networksSharing behaviors of usersCommon violations and regretscenariosMethods for targeted advertisingand how to mitigate thoseK-anonymity for ensuring privacyof datasets

Foursquare app: https://www.buzzfeed.com/ashleyperez/creepers-r-us


COURSE OVERVIEW

Topics: Artificial Intelligence for Privacy

Privacy aware autonomous systemsDesign and maintenance of autonomous systems using AItechniques such as negotiation and argumentationFrameworks for elicitation, modeling, and verification of privacyrequirementsPrivacy normsPrivacy breaches as norm violations


https://www.buzzfeed.com/ashleyperez/creepers-r-us

COURSE OVERVIEW

Topics: Usable Privacy

Designs for usable privacy interfaces

Privacy nudges for warning users of potential privacy risks

Semantic analysis of privacy policies


COURSE OVERVIEW

Topics: Privacy Perceptions

Studies and surveys regarding human mental models aboutprivacy concerns

Differences among cultures

Longitudinal studies about changes in privacy perceptions


COURSE OVERVIEW

Misc Topics

Crowdsourcing privacy policies

Mobile application privacy

Privacy measurement


COURSE OVERVIEW

Learning Outcomes

Learn various evaluation methods: Empirical, formal, case studiesUnderstand personal identifiable information in databases andtechniques to anonymize and protect such informationDescribe attacks against anonymized datasetsUnderstand privacy risks when sharing personal data online anddesign mechanisms for mitigating such risksDescribe privacy requirements and AI techniques for designingprivacy-aware autonomous systemsDesign usable privacy interfaces and tools that balance privacypreserving and user functionalityIdentify and describe important elements of privacy policies andregulationsUnderstand human attitudes to and perceptions of privacy


COURSE OVERVIEW

Outcomes (For the Instructor)

Convert some of you into the world of academics

Assignments prepared accordingly to give you researchexperience

Even if you choose a developer path, you will be able to developsoftware with privacy awareness


COURSE OVERVIEW

Lectures

Look at a common and important privacy problemStart with problem descriptionLook at real world applications/cases and potential implicationsLearn about sample solutionsShort exercises throughoutCollaboratively analyze relevant incident(s) from the PrivacyIncidents Database (Bring your laptop)

1 Think individually2 Discuss with your neighbor3 Class discussion


INTRODUCTION TO PRIVACY

Privacy

Privacy is very important . . . whatever it isJ. J. Thomson: “Perhaps the most striking thing about the right toprivacy is that nobody seems to have any clear idea of what it is”A good or a bad thing? A right or a preference?

Physical privacy:“Right to be left alone”“Freedom from unauthorized intrusion”

Privacy is very broadScope it to data privacy

Kieron O’Hara. The Seven Veils of Privacy. IEEE Internet Computing, 20(2):86–91, 2016



Oops, They Did It Again

13 hospital workers fired in LA for snooping in Britney Spears’medical records

HIPAA prohibits accessing medical records without a valid reasonViolation: Just because she’s a celebrity is not a valid reason

How to detect such violations?Role-based access controlLog accessAre those enough?

http://www.avant.org.au/news/20160622-improper-access-of-medical-records/

http://articles.latimes.com/2008/mar/15/local/me-britney15


http://www.avant.org.au/news/20160622-improper-access-of-medical-records/

http://articles.latimes.com/2008/mar/15/local/me-britney15


How the Camera Doomed Google Glass

Early adoptersUsability: “It was not very useful for very much”Privacy: “Disturb people around me that I have this thing”

Mitigation: Use the same way we use sunglasses – usually takenoff when we’re with people

http://www.cnn.com/2013/12/10/tech/mobile/negative-google-glass-reactions/index.html

https://www.theatlantic.com/technology/archive/2015/01/how-the-camera-doomed-google-glass/384570/



Target Discovers Pregnancy Before Parents

Identify 25 products that indicate potential pregnancy, sendcoupons accordinglyDad goes to store to show coupons sent to her teenage daughterMitigation: Mix in ads that pregnant women never buy, so babyads look random

http://www.businessinsider.com/the-incredible-story-of-how-target-exposed-a-teen-girls-pregnancy-2012-2


http://www.cnn.com/2013/12/10/tech/mobile/negative-google-glass-reactions/index.html

https://www.theatlantic.com/technology/archive/2015/01/how-the-camera-doomed-google-glass/384570/

http://www.businessinsider.com/the-incredible-story-of-how-target-exposed-a-teen-girls-pregnancy-2012-2


Privacy Definitions

Numerous examples

Let’s try to come up with some definitions



Privacy Incidents

An instance of accidental or unauthorized collection, use orexposure of sensitive information about an individual

An event that creates the perception that unauthorized collection,use or exposure of sensitive information about an individual mayhappen

https://sites.google.com/site/privacyincidentsdatabase/


https://sites.google.com/site/privacyincidentsdatabase/


Data Collection, Storage, and Usage

Collection: What personal information is collected byorganizations?

Storage: How do organizations store personal information? Is itkept secure?

Usage: How do organizations use personal information? Whomdo they share it with? Do they make users aware, e.g., ask forconsent?



Contextual Integrity

Ensuring appropriate information flows respectful of social normsin a given contextNorm: Patient health information should not be disclosedContext:

During a consultation, it’s appropriate for a patient to disclosehealth information to the doctorDoctor may consult a colleague about the patient to exchangediagnosis

How about doctor disclosing health information to a doctor friendat a party? Same action, different setting

Nissenbaum. Privacy in Context: Technology, Policy and the Integrity of Social Life. Stanford University Press, 2009



Normative Privacy

Norms, expectations, conventions, regulationsWhen a crime victim tells police about perpetrator, does it violatecriminal’s privacy?In this case, the norm works against privacy, for good socialreasons

Alice wants personal spacePuts a fence around her houseFew people cross itAlthough there’s nothing physical to stop them

Patient consultation example: Alice expects confidentiality (herhealth information won’t leave the medical system)




Sociotechnical Systems

People and software

Technical and social considerations meet

InteractionsUser use softwareUsers interact with each otherSoftware components communicate with each other



Laws and Sanctions

Norms can be turned into laws or regulationsNot only conventional but also compulsorySanctions would apply in case of violationsPrivacy law: Organizations’ practice with personal data




Privacy Engineering

Integrating privacy solutions into everyday engineering practices

Data protection requirements

Beyond data breaches: Perceptions matter too

Seda Gurses and Jose M. del Alamo. Privacy Engineering: Shaping an Emerging Field of Research and Practice. IEEE Security& Privacy, 14(2):40–46, 2016



Transitional Privacy

Privacy through friends

Cannot always control what other people do


WHAT TO EXPECT

Typical Privacy Problems

Identify common privacy problems

Analyze sample solutions


WHAT TO EXPECT

Inference

http://www.huffingtonpost.com/2013/11/13/smartphones-restrooms-bed-use-survey n 4266701.html


WHAT TO EXPECT

Inference Possible

The guy on the left is significantly different from the othersWhen you see him outside (new information), you might recognize


http://www.huffingtonpost.com/2013/11/13/smartphones-restrooms-bed-use-survey_n_4266701.html

WHAT TO EXPECT

Anonymization of Datasets

Provide researchers with useful dataProtect user privacy by anonymizing columns and rows


WHAT TO EXPECT

Sharing Content

https://www.ted.com/talks/alessandro acquisti why privacy matters#t-53301


https://www.ted.com/talks/alessandro_acquisti_why_privacy_matters#t-53301

WHAT TO EXPECT

Unintended Disclosure

Intrusion, embarrassmentUnintended audience

http://www.cbsnews.com/news/senator-pat-roberts-unexpected-ringtone-frozen-let-it-go/


WHAT TO EXPECT

Sharing vs Revealing

To whom your shared content will reach

“If I cannot shout it out in the middle of downtown, I’d not say itonline”

Differential privacy: You may share, but not reveal anything


http://www.cbsnews.com/news/senator-pat-roberts-unexpected-ringtone-frozen-let-it-go/

WHAT TO EXPECT

Regrets

Regrettable actions, e.g., send email to wrong recipientsHow to avoid those


WHAT TO EXPECT

Targeted Advertising

Look at shoes at store They come with you to the news

How does it happen?How can you avoid it?


WHAT TO EXPECT

Multiparty Privacy: Argumentation

After tsunami disasterArguments for/against sharing the picture

Not share: Hand gestures not appropriateShare: Shows difficult situation of survivors, would encouragepeople to help

Fogues et al. Sharing Policies in Multiuser Privacy Scenarios: Incorporating Context, Preferences, and Arguments in DecisionMaking. ACM Transactions on Computer-Human Interaction, 24(1):5:1-5:29, 2017


WHAT TO EXPECT

AI for Privacy: Negotiation

Runtime configuration of app permissionsNegotiation between the user and the app provider


WHAT TO EXPECT

Usable Privacy

Utility vs privacy: You want my password or a dead patient?How to prevent privacy messing up functionality?

Koppel et al. Workarounds to computer access in healthcare organizations: You want my password or a dead patient? Studies inHealth Technology and Informatics, 208:215220, 2015


WHAT TO EXPECT

Metrics and Measurement

How much privacy is enough? Or too much?

https://pusz4frog.wordpress.com/category/technology-2/


https://pusz4frog.wordpress.com/category/technology-2/

WHAT TO EXPECT

Privacy Policies

Nobody reads privacy policiesFacebook privacy policy is longer than the US constitution

http://www.huffingtonpost.com/2010/05/12/facebook-privacy-policy-s n 574389.html


WHAT TO EXPECT

Westin Privacy Index

Classify the public into three categoriesFundamentalist (25% of Americans): Distrustful of organizations,refuses to give out personal informationPragmatist (55% of Americans): Weighs the value of consumeropportunities, aware of privacy risksUnconcerned (20% of Americans): Doesn’t know what the“privacy fuss” is about

Westin. Privacy and Freedom. Administrative Law Review, 22(1):101–106, 1969


http://www.huffingtonpost.com/2010/05/12/facebook-privacy-policy-s_n_574389.html

WHAT TO EXPECT

Privacy Surveys

Why are user studies on privacy not convincing?Question: How would you feel about a mobile app that tracks yourlocation whereever you go? [You cannot turn it off]How about: The app offers discount coupons based on yourfavorite locationsHow about: The app sends your location to third parties. . . potentially malicious people might access your locationIncentives change based on circumstancesPrivacy paradox: Reported vs actual behavior


WHAT TO EXPECT

Cultural Differences

Not so private More private


WHAT TO EXPECT

Wisdom of Crowd


csc 495.002 lecture 1 course introduction · 2017. 11. 15. · dr. ozg¨ ur kafalı¨ course...

Documents